Calculating the Costs of Cyber Crime

On Monday, Security Fix looked at figures published by the Justice Department suggesting that the FBI had between 3 and 6 percent of its field agents dedicated to fighting cyber crime. On the surface, that number may seem low for an area the FBI rates as its No. 3 priority, behind only counter-terrorism and counter-espionage activities.

Is that ratio appropriate? The only real way to know is to try to figure out how costly the cyber crime problem is in the first place. After all, how can we judge the proper level of resources to throw at a problem if we don't have a good idea of just how bad cyber crime is?

The problem, it seems, is that nobody really has any clue about how much cyber crime is costing U.S. businesses and consumers each year. The best guesses so far have been just that, and have ranged all over the map. Valerie McNevin, a former Bush administration official, once famously stated that the cyber crime problem had ballooned to a $105 billion a year problem. McNevin's comments were recently echoed by an executive at anti-virus maker McAfee, but most of the security experts I've seen asked about this statement have dismissed it, saying that estimate is far too high.

So what does the government say? If we want to know how much cyber crime costs U.S. businesses annually, we can consult an FBI survey released in 2006, which estimated that companies collectively spend about $67 billion dealing with viruses, spyware, data theft and other computer-related crimes. That study dealt with responses from 2005, so the same analysis conducted today would almost certainly produce a higher figure.

But what of the cost to consumers? The Federal Trade Commission says identity theft is a crime that affects 10 million U.S. consumers each year, at a cost of about $50 billion. (A more inclusive and accurate term for this type of crime is "identity fraud," which encompasses not only new and existing account fraud but also credit and debit card fraud, phishing, and theft of data from computer intrusions.)

So how much of that $50 billion is related to cyber crime? That also is not a simple question to answer. But in an interview I had last week with Shawn Henry, assistant director of the FBI's Cyber Division, Henry said he believes that "the majority of identity theft now results from computer intrusions," noting the "sheer volume" of consumer data being stolen by invasive computer programs, such as keystroke loggers.

If we assume for the moment that Henry's statement is reasonably accurate, that means that at least $26 billion in consumer identity fraud is the result of cyber crime. All of a sudden, McNevin's $105 billion cyber crime estimate doesn't seem so far off the mark.

But wait a minute. Aren't there any statistics about fraud that America's banks themselves have to report to the government? Yes, and no.

All financial institutions have to file "suspicious activity reports" -- or SARs -- that cover stock transactions, money deposits, withdrawals and transfers that bank officials and security regulators suspect may be related to fraud or money laundering activities. The banks and brokerages file these reports with regulators by the truckload every year, and there are literally mountains of these reports at the Financial Crimes Enforcement Network's (FinCEN) Web site for anyone who wants to pore over them.

The biggest shortcoming of the SARs process is that at the end of the day the filings don't say how much money is involved. Even when these individual reports are described in the aggregate, there are no monetary figures attached. What's more, there appear to be a great number of inconsistencies in the way banks classify and report the same suspicious transactions.

Chris Hoofnagle, senior fellow with the Berkeley Center for Law and Technology, believes that the United States could get a better handle on cyber crime and identity fraud if banks were required to disclose more fraud data, such as the volume of money involved in the crimes (including fraudulent transactions where the consumer/business was ultimately made whole or where anti-fraud measures foiled the attempted theft of funds).

In an article written for the forthcoming Fall issue of the Harvard Journal of Law & Technology, Hoofnagle says such a requirement would not only give Congress and the public a better sense of the resources needed to combat this type of crime, but also could create a secondary market where banks compete on ways to better protect consumers.

"Currently we don't know the scope of the problem," Hoofnagle writes. "We do know that it is a big problem and that the losses are estimated in the tens of billions. Without reporting, we cannot tell whether the market is addressing the problem. Reporting will elucidate the scope of the problem and its trends, and as explained below, create a real market for identity theft prevention."

Hoofnagle also takes aim at the claim that consumers don't bear the costs of identity theft, which conventional wisdom says is usually assumed mostly by lending institutions and merchants. "Consumers ultimately pay for the crime through lost time, inconvenience, higher financial services fees, and sometimes through out-of-pocket costs. There is another, largely unknown way in which we all pay for identity theft that causes the market not to correct the problem: lending institutions write their losses off against corporate income taxes."

Chuck Wade, a financial industry security expert and co-founder of Interisle Consulting Group, which consults for some of the world's largest financial institutions, said a lack of oversight, transparency and fraud reporting -- particularly in the securities industry -- is precisely the type of environment that led to the current sub-prime mortgage fiasco.

"The question is when does (fraud) become big enough to affect the financial status of the banking industry?" Wade said. "In the case of mortgage-backed securities, obviously things changed in the marketplace such that exposures previously hidden became visible. Identity fraud and cyber crime may or may not be the same kind of thing: right now, it's there and it's managed, and doesn't appear to be a huge problem, but it could very easily become a big problem."

As the current sub-prime meltdown shows, a crisis of confidence in one sector of the financial industry can have huge ripple effects on all other areas of the market. This is in large part, Wade said, because the bank stocks themselves are a proxy for the success of the credit card industry and the measure of consumer debt. Back in the 1960s, he said, the financial industry represented about 5 percent of U.S. gross domestic product. Today, the industry's share of GDP is closer to 30 percent.

"When it comes to [disclosing fraud rates], the financial industry would say these disclosures don't affect our standing because of course we'll take care of our customers: If we find a customer who's been defrauded, we'll make them whole," Wade said. "The flip side of that is that the purloining of financial data has become a major industry in its own right, and so we now have this growing level of exposure that really wasn't there before. And before the recent [debt] market meltdown, nobody really understood how the market was being impacted by mortgage-backed securities. In the same way, nobody really knows now how much financial institutions are impacted by this new type of fraud that steals information at a wholesale level."

For a while it looked like the nominal victims of cyber-crime were going to advertise netizens into oblivion (!SPAM!) too, but I don't see legislation or excessive commercial noise as the modern day version of the poet's Fire and Ice.

More likely is that cyber-gangsters will be undone living life large and tripping over the little stuff. They got Al Capone on tax evasion, after all.

There is a very interesting consumer security company called Trusteer (http://www.trusteer.com) that has a new technology built for consumers that helps address identity related fraud. (Disclaimer: I only heard about them through a friend at a bank but have not tried their software).

"Bastiat used the example of a broken window. Repairing the window stimulates the glazier's pocketbook. But unseen is the loss of whatever would have been done with the money instead of replacing the window. Perhaps the one who lost the window would have bought a pair of shoes. Or invested it in a new business. Or merely enjoyed the peace of mind that comes from having cash on hand."

Spending money on security breaches is repairing a broken window. Spending money to prevent security breaches is like hiring a guard to try to prevent a broken window. In either case, it would have been more productive to be able to invest either amount of money, and a wise investment would have had a positive ROI. This is why we do not spend time breaking and repairing windows for a living in rich economies.

I run an internet business called ID THEFT PROTECT here in the UK. We provide education, awareness and solutions to consumers and businesses.

In relation to this article, we believe that cybercrime is 10 years away from being something that is used to bring a country to its knees. It will happen and govt will in time have to react. The problem as with any crime, Govt will only do something if it happens - there are of course much wider issues e.g. public confidence in the Govt and finding the money to pay for the security that is needed!